07.27.06

Health Insurance Portability and Accountability Act (HIPAA)


HIPAA NEWS (as of 2/16/06)

Issued by Office of E-Health Standards and Services, Centers for Medicare and Medicaid Services, US Department of Health and Human Services

On February 16, 2006, the Final Rule on HIPAA Enforcement was published in the Federal Register. The regulation can be viewed at:

http://a257.g.akamaitech.net/7/257/2422/01jan20061800/edocket.access.gpo.gov/2006/pdf/06-1376.pdf

The Final Rule adopts the complete regulatory structure for implementing the civil money penalty authority of the Administrative Simplification part of HIPAA (SSA, section 1176), completing the structure begun when the Privacy Rule was issued in 2000 and expanded by the interim final procedural enforcement rules issued in 2003.  The Final Rule covers the enforcement process from its beginning, which will usually be a complaint or a compliance review, through its conclusion.  A complaint or compliance review may result in informal resolution, a finding of no violation, or a finding of violation.  If a finding of violation is made, a civil money penalty will be sought for the violation, which can be challenged by the covered entity through a formal hearing and appellate review process.

These rules apply to covered entities that violate any of the rules implementing the Administrative Simplification provisions of HIPAA.

You can subscribe to the HIPAA Regulations listserv of the US Department of Health and Human Services to directly receive further updates. Information on subscribing to or unsubscribing from this listserv can be found at:

http://aspe.hhs.gov/admnsimp/lsnotify.htm


What is HIPAA?

HIPAA stands for the Health Insurance Portability & Accountability Act of 1996 (Public Law 104-191), which amends the Internal Revenue Service Code of 1986. It is also known as the Kennedy-Kassebaum Act.


What does HIPAA do?

HIPAA calls for sweeping changes in most healthcare transaction and administrative information systems.

The regulations are a comprehensive set of requirements for:

  • obtaining consent to use patient health care information;
  • advising the patient of the patient’s rights to know the uses made of patient health care information;
  • maintaining the confidentiality of patient health care information; and
  • ensuring that each health care provider or health care provider organization has procedures and personnel designated to educate providers about, and to properly maintain, health care data in accordance with the regulations.

The regulations are extensive and complex.  Essentially they create:

  • Standardization of all electronic patient health, administrative and financial data

  • Unique health identifiers for individuals, employers, health plans and health care providers

  • Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future


Who is affected?

All healthcare organizations. This includes all health care providers, physician offices, health plans, employers, public health authorities, EMS agencies, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities.


Compliance Deadlines

Most entities have 24 months from the effective date of the final rules to achieve compliance:

  • Transactions Rule - Published on August 17, 2000. Compliance date - October 16, 2002.

  • Privacy Rule - Published on December 28, 2000. (Due to a minor glitch the rule didn't become effective until April 14, 2001.) Compliance date - April 14, 2003.

  • Security Rule - Published on February 14, 2003. Compliance date - February 14, 2005.

  • National Provider Identifier (NPI) Rule - Published on January 23, 2004. Compliance date - May 23, 2005.

Meeting the requirements is expected to require a significant effort.  All EMS operations need to understand and be prepared to comply with these regulatory requirements on or before the deadline.


Penalties

The HIPAA rules call for severe civil and criminal penalties for non-compliance, including:

  • fines up to $25K for multiple violations of the same standard in a calendar year
  • fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.


More information

The following websites offer more information regarding HIPAA, covered entities and compliance strategies:

Government:

Private sites:
